
Setting Up ApexGuard on AsusWRT-Merlin Firmware


1. Prerequisites

  1. Asus router running AsusWRT-Merlin firmware (e.g., version 384.19 or higher).
  2. SSH/Command-line access enabled on your router.
    • In the Merlin web GUI:
      • Go to Administration → System.
      • Enable SSH and set credentials.
  3. ApexGuard IKEv2 credentials (server address, pre-shared key, user credentials or certificates).
  4. Entware installed on your router (for installing strongSwan).

If you haven’t installed Entware yet, consult the AsusWRT-Merlin Entware wiki for instructions.

2. Install strongSwan via Entware

SSH into the router using a terminal app (PuTTY, Terminal, etc.):

ssh admin@192.168.1.1
  1. Replace admin and 192.168.1.1 with your actual username/IP if changed.

Update Entware’s package list:

opkg update

Install strongSwan:

opkg install strongswan
  1. This installs the core strongSwan IKEv2/IPsec binaries.

(Optional) Install additional plugins if required by ApexGuard (e.g., strongswan-mod-eap-mschapv2, strongswan-mod-eap-tls, or others):

opkg install strongswan-mod-eap-mschapv2
opkg install strongswan-mod-eap-identity
...

3. Gather Your ApexGuard IKEv2 Details

  1. Log into your ApexGuard account.
  2. Navigate to Advanced Settings → Set up ApexGuard manually → Service Credentials / IPsec credentials.
  3. Note the:
    • Server address (e.g., ikev2.apexguard.com or IP).
    • Pre-shared key (PSK) if using PSK-based IKEv2.
    • Username/Password (if EAP-based).
    • Certificate files (if certificate-based).

For this example, we’ll assume:

  • Server: ikev2.apexguard.com
  • PSK: YOUR_PSK_HERE
  • Local username (if EAP is used): YOUR_USER_HERE
  • We’ll show a basic PSK-based example.

4. Create/Modify the strongSwan Configuration

strongSwan’s main configuration lives in /opt/etc/strongswan.conf and /opt/etc/ipsec.conf (and sometimes /opt/etc/ipsec.secrets). Below is a minimal example for a PSK-based “road warrior” scenario. Adjust to match ApexGuard’s recommended phase 1/phase 2 proposals.

4.1 strongswan.conf

Create or edit the file /opt/etc/strongswan.conf:

# /opt/etc/strongswan.conf
charon {
    # Load plugins according to their per-plugin settings (e.g. kernel-netlink, stroke)
    load_modular = yes
    install_routes = no
    # Logging, optional
    filelog {
        /opt/var/log/strongswan.log {
            time_format = %b %e %T
            append = no
            default = 1
            flush_line = yes
        }
    }
}

This is a basic config that tells charon (the IKE daemon) to load modules and sets up a log file.

4.2 ipsec.conf

Create or edit the file /opt/etc/ipsec.conf:

# /opt/etc/ipsec.conf
config setup
    uniqueids = never

conn apexguard-ikev2
    # IKE settings (adjust proposals as needed)
    keyexchange = ikev2
    ike = aes256-sha512-modp2048!
    esp = aes256-sha512!
    # Left side: this router
    left=%defaultroute
    leftid=%any
    leftauth=psk
    # Request an internal IP if supported
    leftsourceip=%config
    # Right side: ApexGuard server
    right=ikev2.apexguard.com
    rightauth=psk
    # Route all traffic through the tunnel
    rightsubnet=0.0.0.0/0
    auto=add

Note:

  • ike = aes256-sha512-modp2048! and esp = aes256-sha512! are examples. Use the ciphers that ApexGuard recommends.
  • auto=add means we only add the connection and bring it up manually or via ipsec up apexguard-ikev2. Alternatively, use auto=start if you want the tunnel to start automatically on boot.

4.3 ipsec.secrets

Create or edit /opt/etc/ipsec.secrets to store your pre-shared key:

# /opt/etc/ipsec.secrets
: PSK "YOUR_PSK_HERE"

If you need a different identity or EAP-based user credentials, the syntax changes. For example:

YOUR_USER_HERE : EAP "YOUR_PASSWORD_HERE"
: PSK "YOUR_PSK_HERE"
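Both files above hold credentials in plaintext, so before starting the daemon it is worth confirming that the secrets file is readable only by root and that none of the template placeholders survived. The following check script is an added example written for this article, not part of ApexGuard's or strongSwan's own tooling; it assumes a BusyBox/GNU `stat -c` and the secret types shown in this guide (PSK, EAP) plus RSA/ECDSA key entries.

```shell
#!/bin/sh
# Added example (not from the ApexGuard article): sanity checks for the
# strongSwan secrets file before starting the daemon. The file holds the PSK
# and any EAP password in plaintext, so it should be root-only (mode 600) and
# must not still contain the article's placeholder values.
# Assumption: `stat -c '%a'` is available (BusyBox and GNU coreutils both have it).

# Return 0 if FILE exists, is mode 600 (or stricter), defines at least one
# secret, has no placeholders left, and every active line is a secret entry.
check_ipsec_secrets() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    # Any group/other permission bits expose the PSK to other local processes.
    case "$mode" in
        600|400) ;;
        *) echo "bad mode $mode on $f (want 600)" >&2; return 1 ;;
    esac
    # Placeholders from the article's template must have been replaced.
    if grep -Eq 'YOUR_(PSK|PASSWORD|USER)_HERE' "$f"; then
        echo "placeholder credentials still present in $f" >&2
        return 1
    fi
    # At least one secret must be defined, otherwise authentication cannot succeed.
    if ! grep -Eq ':[[:space:]]*(PSK|EAP|RSA|ECDSA)[[:space:]]' "$f"; then
        echo "no secrets defined in $f" >&2
        return 1
    fi
    # Every non-comment, non-empty line must look like "<ids> : <TYPE> ...";
    # anything else is usually a typo that charon will reject at load time.
    if grep -Ev '^[[:space:]]*(#|$)' "$f" | grep -Eqv ':[[:space:]]*(PSK|EAP|RSA|ECDSA)[[:space:]]'; then
        echo "malformed line in $f" >&2
        return 1
    fi
    return 0
}

# Lock the file down, then verify it. Run as root on the router.
harden_ipsec_secrets() {
    chmod 600 "$1" && check_ipsec_secrets "$1"
}

# Stand-alone use: sh check-secrets.sh /opt/etc/ipsec.secrets
if [ $# -gt 0 ]; then
    harden_ipsec_secrets "$1"
fi
```

Run it once after editing the file and again from the startup script before `ipsec start`; a non-zero exit is a reason not to start the tunnel rather than to start it with a broken or world-readable secret.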

5. Start and Enable strongSwan on Boot

Start strongSwan manually:

ipsec start

Test your config:

ipsec up apexguard-ikev2
  • If all is correct, you should see negotiation messages concluding with something like connection 'apexguard-ikev2' established successfully.
  • If not, check /opt/var/log/strongswan.log for errors.

Create or edit /jffs/scripts/post-mount (if it doesn’t exist, create it and make it executable with chmod +x /jffs/scripts/post-mount):

#!/bin/sh
# Start strongSwan once the Entware partition has been mounted.
# Use the full path: /opt/sbin is not necessarily in PATH when this script runs.
if [ -x /opt/sbin/ipsec ]; then
    /opt/sbin/ipsec start
fi
  • Alternatively, add commands to /jffs/scripts/services-start or a similar startup script. The key is to ensure that Entware is mounted before starting strongSwan.

6. Configure Policy Routing or NAT (Optional)

6.1 Policy Routing

If you want all LAN devices to route traffic through the IKEv2 tunnel, you can set up policy-based routing or manually add routes. For example, in Merlin’s GUI:

  1. Go to LAN → Route (or use Firewall → Routing rules for policy-based).
  2. Add static routes or define rules for the LAN subnet to go via the IPsec tunnel interface.

However, strongSwan by default will “install routes” if leftsourceip=%config and install_routes=yes are used (in strongswan.conf). You may also need a NAT rule if the ApexGuard server expects NATed traffic.

6.2 NAT on the Router

Create or edit /jffs/scripts/firewall-start:

#!/bin/sh
iptables -t nat -A POSTROUTING -o ipsec0 -j MASQUERADE
  1. Replace ipsec0 with the actual interface name strongSwan uses (sometimes ip_vti0, vti1, etc., depending on your setup).

Make it executable:

chmod +x /jffs/scripts/firewall-start

Check logs (ipsec statusall) or ip a to confirm the IPsec interface name.

7. (Optional) Use Certificates or EAP for IKEv2 Auth

  • Upload your CA, client certificate, and key to /opt/etc/ipsec.d/ (e.g., cacerts/, certs/, private/).

Modify /opt/etc/ipsec.conf:

leftauth=pubkey
leftcert=clientCert.pem
leftfirewall=yes
rightauth=pubkey
...
  • Modify /opt/etc/ipsec.secrets for the private key if it’s passphrase-protected.

Install EAP modules:

opkg install strongswan-mod-eap-mschapv2
opkg install strongswan-mod-eap-identity

In ipsec.conf:

leftauth=eap-mschapv2
leftid=YOUR_USER_HERE
# or rightauth=eap, depending on ApexGuard requirements
rightauth=psk

In ipsec.secrets:

YOUR_USER_HERE : EAP "YOUR_PASSWORD_HERE"
: PSK "YOUR_PSK_HERE"

8. Verify the Tunnel

Check the status:

ipsec status
ipsec statusall
  1. You should see the apexguard-ikev2 connection “ESTABLISHED” or “INSTALLED.”
  2. Test traffic:
    • From a LAN device, visit a “what’s my IP” site or the ApexGuard dashboard to verify your public IP reflects the VPN.
    • If you only see your ISP IP, you might need policy routing, NAT, or check that the tunnel is up.
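Eyeballing ipsec statusall works once, but a tunnel that drops overnight needs something that checks the same two facts automatically: an IKE SA marked ESTABLISHED and a CHILD SA marked INSTALLED for the connection. The script below is an added example for this guide, not ApexGuard's or strongSwan's own code. Its parser reads ipsec statusall text on stdin, so it can be exercised against the constructed sample output embedded in it (documentation addresses, invented SPIs); the watchdog function assumes the article's connection name and the /opt/sbin/ipsec path, and that logger is available on the router.

```shell
#!/bin/sh
# Added example (not from the ApexGuard article): decide from `ipsec statusall`
# output whether the tunnel is really usable, and retry it when it is not.
# Connection name and binary path follow the article's configuration.

CONN="${CONN:-apexguard-ikev2}"

# Read `ipsec statusall` text on stdin and print one of:
#   up        - IKE SA ESTABLISHED and a CHILD SA INSTALLED for connection $1
#   ike-only  - IKE SA up but no CHILD SA (tunnel negotiated, but no traffic flows;
#               typical of an esp= proposal mismatch)
#   down      - no SA for connection $1
# Exit status is 0 only for "up", so the function can gate other actions.
tunnel_state() {
    conn="$1"
    status=$(cat)
    ike=0; child=0
    # IKE SAs are printed as "name[N]: ESTABLISHED ...",
    # CHILD SAs as "name{N}:  INSTALLED, TUNNEL, ..."
    if printf '%s\n' "$status" | grep -Eq "^${conn}\[[0-9]+]: ESTABLISHED"; then ike=1; fi
    if printf '%s\n' "$status" | grep -Eq "^${conn}\{[0-9]+}: +INSTALLED"; then child=1; fi
    if [ "$ike" = 1 ] && [ "$child" = 1 ]; then echo up; return 0; fi
    if [ "$ike" = 1 ]; then echo ike-only; return 1; fi
    echo down; return 1
}

# Watchdog for cron (on Merlin, e.g. `cru a ipsecwd "*/5 * * * * sh /jffs/scripts/ipsec-watchdog.sh --watch"`):
# if the tunnel is not fully up, log it and try to bring it up again.
vpn_watchdog() {
    state=$(/opt/sbin/ipsec statusall 2>/dev/null | tunnel_state "$CONN") || true
    if [ "$state" != up ]; then
        logger -t ipsec-watchdog "tunnel $CONN is $state, retrying"
        /opt/sbin/ipsec up "$CONN" >/dev/null 2>&1
    fi
}

# Constructed sample of `ipsec statusall` output for a healthy tunnel
# (not captured from a real router; addresses are documentation ranges).
SAMPLE_UP='Status of IKE charon daemon (strongSwan 5.9.8, Linux 4.1.27):
Security Associations (1 up, 0 connecting):
apexguard-ikev2[1]: ESTABLISHED 3 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.5[ikev2.apexguard.com]
apexguard-ikev2[1]: IKEv2 SPIs: 1111111111111111_i* 2222222222222222_r, pre-shared key reauthentication in 2 hours
apexguard-ikev2{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0000001_i c0000002_o
apexguard-ikev2{1}:   10.8.0.2/32 === 0.0.0.0/0'

# Constructed sample where the IKE SA came up but no CHILD SA was installed.
SAMPLE_IKE_ONLY='Security Associations (1 up, 0 connecting):
apexguard-ikev2[1]: ESTABLISHED 3 minutes ago, 203.0.113.10[203.0.113.10]...198.51.100.5[ikev2.apexguard.com]'

# Constructed sample with no SA at all.
SAMPLE_DOWN='Security Associations (0 up, 0 connecting):
  none'

case "${1:-}" in
    --demo)   # show the parser's verdict on the three constructed samples
        printf '%s\n' "$SAMPLE_UP"       | tunnel_state "$CONN"
        printf '%s\n' "$SAMPLE_IKE_ONLY" | tunnel_state "$CONN"
        printf '%s\n' "$SAMPLE_DOWN"     | tunnel_state "$CONN" ;;
    --watch)  vpn_watchdog ;;
esac
```

The ike-only state is worth distinguishing from down: ipsec up will report the IKE SA as established, the article's success message appears, and yet no traffic is protected, which is exactly the situation the "what's my IP" check in step 2 above catches by hand.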

9. Optional: Kill Switch & Fail-safe

Unlike the Merlin GUI’s built-in kill switch for OpenVPN, you must manually script it for IPsec:

  1. Add iptables rules in firewall-start that drop outbound traffic if the ipsec0 interface goes down.

For example:

#!/bin/sh
# Block all traffic if ipsec0 is NOT available
iptables -I FORWARD -s 192.168.1.0/24 -o $(nvram get wan0_ifname) -j DROP
# Then allow traffic if ipsec0 is up
iptables -I FORWARD -s 192.168.1.0/24 -o ipsec0 -j ACCEPT
  1. Adjust interface names, subnets, and chain order as needed.
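One caveat applies to the script above: with strongSwan's default policy-based IPsec there is no ipsec0 interface at all. Packets to be encrypted still traverse FORWARD with the WAN interface as their output device and are only encapsulated afterwards, so the DROP rule on the WAN interface would also discard the traffic the tunnel is supposed to carry. The variant below is an added example for this guide (not ApexGuard's or Merlin's code) that instead matches the IPsec policy with iptables' policy match: LAN traffic may leave via the WAN only if an outbound IPsec policy covers it, an explicit ipsec0 rule is kept for VTI/XFRM-interface setups, and everything else from the LAN to the WAN is dropped. It assumes the router kernel provides the xt_policy match, the article's LAN subnet, and the WAN interface from nvram; the run wrapper with DRY_RUN is a helper written for this example so the rule set can be reviewed (or tested) without touching a firewall.

```shell
#!/bin/sh
# Added example (not from the ApexGuard article): fail-closed forwarding rules
# for /jffs/scripts/firewall-start that hold for policy-based IPsec, where no
# ipsec0 interface exists and encrypted packets leave through the WAN itself.
# Assumptions: LAN 192.168.1.0/24 and WAN interface from nvram as in the article;
# the kernel offers the iptables policy match (xt_policy).

LAN_NET="${LAN_NET:-192.168.1.0/24}"
WAN_IF="${WAN_IF:-$(nvram get wan0_ifname 2>/dev/null || echo eth0)}"

# Execute a command, or only print it when DRY_RUN=1 (to review the rule set,
# and to let this file be tested on a host without iptables).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Insert at the top of FORWARD so the rules win over the firmware's own chain.
# With -I the last inserted rule is evaluated first, so the DROP goes in first
# and the two ACCEPTs after it.
apply_killswitch() {
    # Evaluated last: any LAN -> WAN packet not accepted above is dropped.
    run iptables -I FORWARD -s "$LAN_NET" -o "$WAN_IF" -j DROP
    # Evaluated second: packets the kernel will encrypt under an outbound IPsec policy.
    run iptables -I FORWARD -s "$LAN_NET" -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT
    # Evaluated first: VTI/XFRM setups forward through a real interface
    # (replace ipsec0 with the actual name, as the article notes).
    run iptables -I FORWARD -s "$LAN_NET" -o ipsec0 -j ACCEPT
}

# Delete the same three rules so a firewall restart does not stack duplicates;
# -D on a rule that is not present fails harmlessly and is ignored.
remove_killswitch() {
    run iptables -D FORWARD -s "$LAN_NET" -o ipsec0 -j ACCEPT 2>/dev/null
    run iptables -D FORWARD -s "$LAN_NET" -o "$WAN_IF" -m policy --dir out --pol ipsec -j ACCEPT 2>/dev/null
    run iptables -D FORWARD -s "$LAN_NET" -o "$WAN_IF" -j DROP 2>/dev/null
    return 0
}

# Stand-alone use from firewall-start: sh killswitch.sh --apply
# Review first with: DRY_RUN=1 sh killswitch.sh --apply
if [ "${1:-}" = "--apply" ]; then
    remove_killswitch
    apply_killswitch
fi
```

Because the rules key on the IPsec policy rather than on an interface name, they fail closed in both directions: if charon is stopped or the CHILD SA is gone, no policy matches and LAN clients lose WAN access instead of silently falling back to the ISP path. The router's own IKE and ESP traffic originates in OUTPUT, not FORWARD, so these rules do not block the tunnel from renegotiating.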
